import express from "express";
const router = express.Router();

let balance = 1000;

router.post("/transfer", (req, res) => {
  // 1. SameSite Cookie防御
  //   - 配置 res.cookie('token', '...', { sameSite: 'strict' })，攻击 iframe 场景下不带 cookie
  // 2. Referer 防御
  // const enableReferer = req.body.enableReferer || false;
  if (req.app.get("enableReferer")) {
    const referer = req.headers.referer || "";
    if (!referer.startsWith("http://localhost")) {
      return res.json({ success: false, msg: "Referer校验失败" });
    }
  }
  // 3. Token 防御
  if (req.app.get("enableToken")) {
    if (req.headers["x-csrf-token"] !== "mock-csrf-token") {
      return res.json({ success: false, msg: "CSRF Token校验失败" });
    }
  }
  // 4. 业务逻辑
  balance -= 100;
  res.json({ success: true, balance });
});

// ES Module 写法必须 export default
export default router;
